Using a filtered alias for this behaviour is not secure. See Security limitations | Elasticsearch Guide [8.11] | Elastic
The only support mechanism to provide access to a subset of documents in an index is Document Level Security.
Consider an index like this:
PUT /index-1/
{
"mappings": {
"properties": {
"app": { "type": "keyword" },
"value": { "type": "long" }
}
},
"aliases": {
"app-1": {
"filter": { "term": { "app": "one" } }
},
"app-2": {
"filter": { "term": { "app": "two" } }
}
}
}
A search on index-1 gives:
GET /index-1/_search
===
{
// ...
"hits": [
{
"_index": "index-1",
"_type": "_doc",
"_id": "1",
"_score": 1.0,
"_source": { "app": "one", "value": 1 }
},
{
"_index": "index-1",
"_type": "_doc",
"_id": "2",
"_score": 1.0,
"_source": { "app": "two", "value": 2 }
}
]
// ...
}
And a search on app-1 gives what you would expect:
GET /app-1/_search
===
{
// ...
"hits": [
{
"_index": "index-1",
"_type": "_doc",
"_id": "1",
"_score": 1.0,
"_source": { "app": "one", "value": 1 }
}
]
// ...
}
But it's possible to get non-matching documents via that alias:
GET /app-1/_doc/2
===
{
"_index": "index-1",
"_type": "_doc",
"_id": "2",
"_version": 1,
"_seq_no": 1,
"_primary_term": 1,
"found": true,
"_source": { "app": "two", "value": 2 }
}